b"                  U.S. Small Business Administration\n\n                           Office of Inspector General\n\n                            Washington, DC 20416\n\n\n\n                               September 15, 1999\n\n\nTO:\t         Elizabeth Montoya\n             Associate Deputy Administrator for Management and Administration\n\n\n\n\nSUBJECT: Survey of Electronic Records Management\n\n\n        Attached is an Audit Memorandum on Electronic Records Management\n(ERM). It summarizes the results of a survey we conducted of SBA\xe2\x80\x99s policies and\nprocedures related to ERM. It also makes a recommendation that your office\nimplement an ERM program to meet regulatory requirements. Your response to the\ndraft report indicated your awareness of the importance of this issue.\n\n       The findings included in this report are the conclusions of the Office of\nInspector General's Auditing Division. The findings and recommendation are\nsubject to review, management decision, and corrective action by your\noffice in accordance with existing Agency procedures for audit follow-up\nand resolution.\n\n        Please provide your proposed management decision for the\nrecommendation on the attached SBA Form 1824, Recommendation Action Sheet,\nwithin 30 days. If you disagree with the recommendation, please provide your\nreasons in writing.\n\n        This report may contain proprietary information subject to the provisions of\n18 USC 1905. Do not release to the public or another agency without permission of\nthe Office of Inspector General.\n\nAttachment\n\x0c                  U.S. Small Business Administration\n\n                           Office of Inspector General\n\n                            Washington, DC 20416\n\n\n\n\n                                                   AUDIT MEMORANDUM\n                                                  Issue Date: September 15, 1999\n                                                  Report Number: 9-23\n\n\nTO:         Elizabeth Montoya\n            Associate Deputy Administrator for Management and Administration\n\n\n\n\nSUBJECT: Survey of Electronic Records Management\n\n       After completing a survey, the Auditing Division decided not to perform an\naudit of SBA\xe2\x80\x99s electronic records management (ERM) program at this time. We\nconsidered an audit because (1) the agency has become increasingly dependent\non electronic records, and (2) magnetic tapes containing records needed for a prior\naudit were inappropriately erased. We decided not to conduct the audit because\nSBA\xe2\x80\x99s ERM program is in too early a stage of development. This memorandum\ncontains our findings and recommendation based on the survey.\n\n                                    BACKGROUND\n\n       With the growing reliance on automated systems and electronic records,\nelectronic records management (ERM) is a challenge not only for SBA, but also for\nthe entire Federal Government. According to the National Archives and Records\nAdministration, the agency responsible for developing and providing recordkeeping\nguidance in the Federal Government,\n\n      \xe2\x80\x9cElectronic records pose the biggest challenge ever to recordkeeping\n      in the Federal Government and elsewhere. How do we identify,\n      manage, preserve, and provide on-going access to e-mail, word-\n      processing documents, and other kinds of electronic records that are\n      proliferating in formats, mushrooming in quantity, and vulnerable to\n      quick deletion, media instability, and system obsolescence? There is\n\x0c        no option to finding answers, however, because the alternative is\n        irretrievable information, unverifiable documentation, diminished\n        government accountability, and lost history.\n\n        Federal agencies are required to make and preserve complete and accurate\nrecords of their organization, functions, policies, decisions, procedures, and\nessential transactions to (1) support their current operations, (2) enable review of\ntheir actions and (3) promote accountability. Records can exist in a variety of forms,\nsuch as paper, film, magnetic tape, and diskette. At SBA, the Office of\nAdministration is primarily responsible for records management, however, every\nagency employee has some records management responsibility.\n\n      ERM involves the creation, maintenance, use, and disposition of computer\ngenerated records. ERM requirements and guidance at SBA include\n\n   \xe2\x80\xa2\t 36 Code of Federal Regulations (CFR) 1222 - Creation and Maintenance of\n      Federal Records,\n   \xe2\x80\xa2\t 36 CFR 1228 - Disposition of Federal Records,\n   \xe2\x80\xa2\t 36 CFR 1234 - Electronic Records Management,\n   \xe2\x80\xa2\t OMB Circular A-130, Appendix III - Security of Federal Automated\n\n      Information Resources, and\n\n   \xe2\x80\xa2\t SBA Standard Operating Procedure (SOP) 00 41 2 - Records Management\n      Program.\n\n       SBA creates, maintains, and relies on a variety of electronic records to\nconduct its missions and document its activities. These records include\napproximately 20,000 mainframe computer tapes containing financial and\nprogrammatic information, e-mail correspondence, internet files, and on-line\nnotices, policies and procedures.\n\n                                     METHODOLOGY\n\n        We reviewed laws, regulations, policies and procedures related to ERM;\ninterviewed SBA officials and contractor personnel involved in ERM; and distributed\nquestionnaires to 12 SBA program offices in headquarters and 3 district offices.\n\n                                    SURVEY RESULTS\n\n        SBA\xe2\x80\x99s had not implemented a comprehensive ERM program. The survey\nfound\n\n   \xe2\x80\xa2\t SBA had not developed complete inventories and disposition schedules for\n      its electronic records,\n   \xe2\x80\xa2\t Program offices were not aware of ERM requirements, and\n   \xe2\x80\xa2\t ERM guidance was lacking.\n\n\n                                          2\n\n\x0c      Lack of a comprehensive ERM program could result in\n\n   \xe2\x80\xa2\t Unavailability of accurate and timely information needed for reliable decision\n      making, operational activities and meeting legal requirements,\n   \xe2\x80\xa2\t Inefficiencies such as excessive time spent seeking records and costs of\n      maintaining unnecessary or duplicative records, and\n   \xe2\x80\xa2\t Negative publicity if critical records are lost.\n\n       We found that SBA was, however, making progress in this area. During the\nsurvey, the Office of Administration and the Chief Information Officer initiated\nprojects to update the Records Management SOP, identify the agency\xe2\x80\x99s strategic\nERM requirements and evaluate automated ERM systems. Further details on\nproblems noted during the survey follow.\n\nInventories and Disposition Schedules for Electronic Records\n\n        SBA had not developed complete inventories and disposition schedules for\nits electronic records. In order to properly manage electronic records, inventories\nshould be prepared and maintained that include descriptions, media, locations,\nvolumes, inclusive dates, informational content, and use (36 CFR 1228.22).\nDisposition schedules are needed to ensure efficient, prompt and orderly reduction\nin the quantity of records and to provide for the proper maintenance of permanent\nrecords (36 CFR 1228.10).\n\n       SOP 00 41 02 had a listing of SBA\xe2\x80\x99s official records and disposition\nschedules. The SOP did not, however, include electronic records prepared and\nmaintained by eight of the offices responding to the survey questionnaire. In\naddition, neither the SOP nor an inventory from OCIO have all the information\nrequired by 36 CFR 1228.22 for the electronic records that were identified. This\noccurred, in part, automated information systems were developed without thorough\nconsideration of ERM requirements.\n\nERM Awareness\n\n       Some program offices were not aware of ERM requirements. For example,\nquestionnaire responses showed a lack of understanding that (1) electronic records\nshould be included in the schedules listed in the Records Management SOP, and\n(2) descriptions, retention requirements and disposition schedules for electronic\nrecords should be developed and submitted to the Office of Administration. The\nOffice of Administration was working with the SBA program offices to develop\ncomprehensive records disposition schedules.\n\n\n\n\n                                         3\n\n\x0c        Other offices, while aware of ERM requirements, expressed a need for (1)\ninclusion of ERM considerations in systems development projects, (2) assignment\nof responsibilities, and (3) development of disposition schedules.\n\nERM Guidance\n\n        Several offices indicated in their questionnaire responses a need for\nadditional guidance, as well as training, in areas such as distinguishing \xe2\x80\x9crecord\xe2\x80\x9d\nfrom \xe2\x80\x9cnon-record\xe2\x80\x9d material, storage and retention requirements, responsibilities,\nand handling of e-mail. The Office of Administration did provide some ERM\nguidance and training, however, it stated that it did not have funding for an agency-\nwide electronic records management program to ensure all employees were aware\nof their ERM responsibilities.\n\n       The Records Management SOP described the possible forms of electronic\nrecords in stating that \xe2\x80\x9celectronic files that may meet the definition of official records\ninclude e-mail, voice mail, floppy disks, and fax and Internet transmissions.\xe2\x80\x9d It did\nnot, however, give specific examples for determining when such materials are\nrecords or not.\n\n                                 RECOMMENDATION\n\n      We recommend that the Associate Deputy Administrator for Management\nand Administration implement an Electronic Records Management program that\nmeets the requirements of 36 CFR 1222, 36 CFR 1228, and 36 CFR 1234, such as\n\n   \xe2\x80\xa2\t Ongoing training for all agency personnel on policies, responsibilities, and\n      techniques for the implementation of recordkeeping requirements and the\n      distinction between record and nonrecord materials, regardless of media,\n      including those materials created by individuals using computers to send or\n      receive electronic mail.\n   \xe2\x80\xa2\t Preparation of an inventory of electronic records that includes description of\n      medium, location, volume, inclusive dates, informational content and use.\n   \xe2\x80\xa2\t Development and implementation of disposition schedules for all electronic\n      records created and received by the agency.\n   \xe2\x80\xa2\t Procedures for the participation of records management officials in\n      developing new or revised agency programs, processes, systems, and\n      procedures in order to ensure that adequate recordkeeping requirements\n      are established and implemented.\n\n\n                                MANAGEMENT RESPONSE\n\n\n\n\n                                            4\n\n\x0c   In response to the draft report, the Associate Deputy Administrator for\nManagement & Administration indicated her awareness of the importance of\nelectronic records management.\n\n\n\n\n                                    5\n\n\x0c                                Distribution List\n\n\n\nAssistant Administrator for Administration\nChief Financial Officer\nChief Information Officer\nGeneral Counsel\n\n\n\n\n                                     6\n\n\x0c"